
[testsuite,v2] tests/extended_socket_class: test SMC sockets

Message ID 20240829132617.1610-1-stephen.smalley.work@gmail.com (mailing list archive)
State Accepted
Delegated to: Ondrej Mosnáček

Commit Message

Stephen Smalley Aug. 29, 2024, 1:26 p.m. UTC
Enable SMC sockets and their dependencies in the defconfig and
exercise them as part of the extended socket class tests.
This only verifies that socket create permission is checked
against the correct class. The tests only cover AF_SMC,
not IPPROTO_SMC.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
v2 drops the tests for IPPROTO_SMC since apparently that patch isn't
going anywhere.

 defconfig                                |  5 +++++
 policy/test_extended_socket_class.te     |  3 +++
 tests/extended_socket_class/sockcreate.c |  1 +
 tests/extended_socket_class/test         | 22 ++++++++++++++++++++++
 4 files changed, 31 insertions(+)

Comments

Stephen Smalley Sept. 10, 2024, 12:33 p.m. UTC | #1
On Thu, Aug 29, 2024 at 9:27 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> Enable SMC sockets and their dependencies in the defconfig and
> exercise them as part of the extended socket class tests.
> This only verifies that socket create permission is checked
> against the correct class. The tests only cover AF_SMC,
> not IPPROTO_SMC.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Ping on this patch?

> ---
> v2 drops the tests for IPPROTO_SMC since apparently that patch isn't
> going anywhere.
>
>  defconfig                                |  5 +++++
>  policy/test_extended_socket_class.te     |  3 +++
>  tests/extended_socket_class/sockcreate.c |  1 +
>  tests/extended_socket_class/test         | 22 ++++++++++++++++++++++
>  4 files changed, 31 insertions(+)
>
> diff --git a/defconfig b/defconfig
> index 47938c1..b2d4a90 100644
> --- a/defconfig
> +++ b/defconfig
> @@ -131,3 +131,8 @@ CONFIG_KEY_NOTIFICATIONS=y
>  # This is not required for SELinux operation itself.
>  CONFIG_TRACING=y
>  CONFIG_DEBUG_FS=y
> +
> +# Test SMC sockets
> +CONFIG_INFINIBAND=m
> +CONFIG_SMC=m
> +CONFIG_SMC_LO=y
> diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
> index c8840b4..6f0ebaa 100644
> --- a/policy/test_extended_socket_class.te
> +++ b/policy/test_extended_socket_class.te
> @@ -48,6 +48,9 @@ extended_socket_class_test(bluetooth_socket, socket)
>  # Test use of alg_socket for Alg (Crypto API) sockets instead of socket.
>  extended_socket_class_test(alg_socket, socket)
>
> +# Test use of smc_socket for SMC sockets instead of socket.
> +extended_socket_class_test(smc_socket, socket)
> +
>  #
>  # Common rules for all extended_socket_class test domains.
>  #
> diff --git a/tests/extended_socket_class/sockcreate.c b/tests/extended_socket_class/sockcreate.c
> index ee1d8f3..e3bbf0b 100644
> --- a/tests/extended_socket_class/sockcreate.c
> +++ b/tests/extended_socket_class/sockcreate.c
> @@ -47,6 +47,7 @@ static struct nameval domains[] = {
>  #define AF_QIPCRTR 42
>  #endif
>         { "qipcrtr", AF_QIPCRTR },
> +       { "smc", AF_SMC },
>         { NULL, 0 }
>  };
>
> diff --git a/tests/extended_socket_class/test b/tests/extended_socket_class/test
> index 86c706b..1e6299f 100755
> --- a/tests/extended_socket_class/test
> +++ b/tests/extended_socket_class/test
> @@ -6,6 +6,7 @@ BEGIN {
>      $test_count     = 6;
>      $test_bluetooth = 0;
>      $test_sctp      = 0;
> +    $test_smc       = 0;
>
>      # check if SCTP is enabled
>      if ( system("modprobe sctp 2>/dev/null && checksctp 2>/dev/null") eq 0 ) {
> @@ -19,6 +20,12 @@ BEGIN {
>          $test_bluetooth = 1;
>      }
>
> +    # check if SMC is supported
> +    if ( system("modprobe smc 2>/dev/null") eq 0 ) {
> +        $test_count += 2;
> +        $test_smc = 1;
> +    }
> +
>      plan tests => $test_count;
>  }
>
> @@ -131,3 +138,18 @@ $result = system(
>  "runcon -t test_no_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1"
>  );
>  ok($result);
> +
> +if ($test_smc) {
> +
> +    # Verify that test_smc_socket_t can create a SMC socket (AF_SMC).
> +    $result = system(
> +"runcon -t test_smc_socket_t -- $basedir/sockcreate smc stream default 2>&1"
> +    );
> +    ok( $result, 0 );
> +
> +    # Verify that test_no_smc_socket_t cannot create a SMC socket (AF_SMC).
> +    $result = system(
> +"runcon -t test_no_smc_socket_t -- $basedir/sockcreate smc stream default 2>&1"
> +    );
> +    ok($result);
> +}
> --
> 2.40.1
>
Ondrej Mosnacek Sept. 10, 2024, 12:57 p.m. UTC | #2
On Tue, Sep 10, 2024 at 2:33 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Aug 29, 2024 at 9:27 AM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > Enable SMC sockets and their dependencies in the defconfig and
> > exercise them as part of the extended socket class tests.
> > This only verifies that socket create permission is checked
> > against the correct class. The tests only cover AF_SMC,
> > not IPPROTO_SMC.
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>
> Ping on this patch?

Whoops, sorry, the v2 has fallen through the cracks of my inbox... Now applied:
https://github.com/SELinuxProject/selinux-testsuite/commit/f71a462ee3816393098e0cc22728f387e2b1f846

Patch

diff --git a/defconfig b/defconfig
index 47938c1..b2d4a90 100644
--- a/defconfig
+++ b/defconfig
@@ -131,3 +131,8 @@  CONFIG_KEY_NOTIFICATIONS=y
 # This is not required for SELinux operation itself.
 CONFIG_TRACING=y
 CONFIG_DEBUG_FS=y
+
+# Test SMC sockets
+CONFIG_INFINIBAND=m
+CONFIG_SMC=m
+CONFIG_SMC_LO=y
diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te
index c8840b4..6f0ebaa 100644
--- a/policy/test_extended_socket_class.te
+++ b/policy/test_extended_socket_class.te
@@ -48,6 +48,9 @@  extended_socket_class_test(bluetooth_socket, socket)
 # Test use of alg_socket for Alg (Crypto API) sockets instead of socket.
 extended_socket_class_test(alg_socket, socket)
 
+# Test use of smc_socket for SMC sockets instead of socket.
+extended_socket_class_test(smc_socket, socket)
+
 #
 # Common rules for all extended_socket_class test domains.
 #
diff --git a/tests/extended_socket_class/sockcreate.c b/tests/extended_socket_class/sockcreate.c
index ee1d8f3..e3bbf0b 100644
--- a/tests/extended_socket_class/sockcreate.c
+++ b/tests/extended_socket_class/sockcreate.c
@@ -47,6 +47,7 @@  static struct nameval domains[] = {
 #define AF_QIPCRTR 42
 #endif
 	{ "qipcrtr", AF_QIPCRTR },
+	{ "smc", AF_SMC },
 	{ NULL, 0 }
 };
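Review bot: `AF_SMC` is used in the new `domains[]` entry without the fallback definition that the preceding `AF_QIPCRTR` entry gets from the `#define AF_QIPCRTR 42` / `#endif` lines visible in this hunk, so the build now depends on the installed libc headers already providing the constant. Adding `#ifndef AF_SMC` / `#define AF_SMC 43` / `#endif` ahead of the entry would keep sockcreate.c building on older toolchains; 43 is the value in the kernel's socket.h. The `domains[]` array begins outside the hunk, so whether other entries carry similar guards cannot be checked here.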
 
diff --git a/tests/extended_socket_class/test b/tests/extended_socket_class/test
index 86c706b..1e6299f 100755
--- a/tests/extended_socket_class/test
+++ b/tests/extended_socket_class/test
@@ -6,6 +6,7 @@  BEGIN {
     $test_count     = 6;
     $test_bluetooth = 0;
     $test_sctp      = 0;
+    $test_smc       = 0;
 
     # check if SCTP is enabled
     if ( system("modprobe sctp 2>/dev/null && checksctp 2>/dev/null") eq 0 ) {
@@ -19,6 +20,12 @@  BEGIN {
         $test_bluetooth = 1;
     }
 
+    # check if SMC is supported
+    if ( system("modprobe smc 2>/dev/null") eq 0 ) {
+        $test_count += 2;
+        $test_smc = 1;
+    }
+
     plan tests => $test_count;
 }
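Review bot: When `modprobe smc` fails, both SMC tests are dropped without any trace, because stderr is sent to /dev/null and the `if` has no else branch. A kernel built without the new defconfig options would therefore still produce a fully passing run with no `smc_socket` coverage. Adding `else { print "# SMC not supported, skipping SMC tests\n"; }` would make the gap visible in the test log. The SCTP probe above follows the same silent pattern, and the BEGIN block starts outside this hunk.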
 
@@ -131,3 +138,18 @@  $result = system(
 "runcon -t test_no_alg_socket_t -- $basedir/sockcreate alg seqpacket default 2>&1"
 );
 ok($result);
+
+if ($test_smc) {
+
+    # Verify that test_smc_socket_t can create a SMC socket (AF_SMC).
+    $result = system(
+"runcon -t test_smc_socket_t -- $basedir/sockcreate smc stream default 2>&1"
+    );
+    ok( $result, 0 );
+
+    # Verify that test_no_smc_socket_t cannot create a SMC socket (AF_SMC).
+    $result = system(
+"runcon -t test_no_smc_socket_t -- $basedir/sockcreate smc stream default 2>&1"
+    );
+    ok($result);
+}
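Review bot: The denial case `ok($result);` for `test_no_smc_socket_t` passes on any non-zero status, so a `runcon` failure (for instance, the domain missing from the loaded policy) or a `socket()` error unrelated to SELinux would be counted as a correct denial. The check would be stronger if it asserted the specific status sockcreate returns for a permission failure, assuming sockcreate exposes the errno in its exit status, which is not visible here. At minimum, a comment above the call such as `# Any non-zero status passes; this does not distinguish an AVC denial from other failures.` would record the limitation. The preceding `alg` test in this hunk uses the same pattern.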